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Rising traffic density, along with autonomy and diversity of vehicles in the air, will 
fundamentally change the safety environment of the future air transportation system. The 
change in risk is two-fold: increasing chances of mid-air collisions with non-cooperative 
objects and increasing chances of crashes over highly populated areas. The changing nature 
of the vehicles populating the airspace means that civilian aircraft design must now explicitly 
include considerations of survivability in the event of collision with other vehicles, as well as 
prevention of damage to people, animals and property on the ground, to a much greater 
extent than today. This paper offers a preliminary perspective on how MDAO could 
contribute toward these goals. One of the conclusions is that, in contrast to traditional 
vehicle design, to accommodate the complexity of the future airspace safely and efficiently, 
vehicle design requirements, modeling, and design optimization must be closely connected to 
the properties of the airspace, including those of other vehicles in the air. Thus, the total 
measure of a vehicle’s survivability should include the traditional survivability in 
malfunction scenarios, combined with new considerations of survivability in collisions and 
survivability of the public on the ground. 


I. Introduction 


he changing nature of airspace presents vast challenges to vehicle design and airspace control. Whether a 

massive influx of on-demand urban air transportation, such as air taxis”, is imminent, realistic or desirable is 
open to argument. However, the density of air traffic over highly populated areas will increase, at the very least with 
the growing presence of unmanned aerial systems (UAS), including autonomous (self-governing) vehicles. Rising 
densities, along with autonomy and diversity of vehicles in the air, will fundamentally change the safety 
environment of the future air transportation system. On the one hand, increased automation and autonomy present an 
opportunity to manage greater densities of traffic, not amenable to handling by humans alone. On the other, 
machine-learning-based autonomous mechanisms are subject to a great deal of uncertainty in realistic environments, 
given that traditional validation and verification techniques no longer apply. 

The Federal Aviation Administration (FAA) is partnering with industry to promote safe use of UAS*. The main 
approach to safety is separation of various domains in the air and on the ground, e.g., via Geofencing*. Separation 
and other risk mitigation measures have been proposed in, e.g., [Ref. 1]. These measures will safeguard operations 
in large portions of airspace. However, they rely on voluntary cooperation of all participants and a minimum level of 
functioning equipage. While the majority of the airspace participants will exhibit cooperative behavior, some will 
not. UAS interfering with firefighting efforts in California in July 2015 are one well-known example of non- 
cooperative behavior with potentially serious consequences’. Non-cooperative behavior, whether due to inadequate 
equipment, lack of information, or ill intent, will be aggravated with increasing air traffic density. 

Civilian UAS are still relatively small, light, short-range, and low-altitude vehicles, vulnerable to bad weather. 
However, the hard components of UAS — the battery, the engine, the camera — present danger to engines on large 
aircraft and to windshields on small aircraft. Recent computational investigations into UAS ingestion into engines 


' Senior Research Scientist, Mail Stop 442, AIAA Associate Fellow 
* http://www. businessinsider.com/uber-elevate-flying-cars-2016-10 
* http://knowbeforeyoufly.org/ 
* http://www.gizmag.com/nasa-air-traffic-control-drones/36509/ 
*http://www.npr.org/2015/07/23/425654435/california-firefighters-forced-to-call-off-missions-after-drone- 
interference 
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confirm the potential hazardous effects of collision with UAS [Refs 2, 3]. Non-cooperative behavior, whether 
unwitting or intentional, will present growing danger to aircraft carrying passengers, as well as humans on the 
ground, as availability of UAS and density of UAS traffic increase. 

If the vision of on-demand urban transportation materializes, the density of larger-than-drones traffic over highly 
populated areas will present a serious safety challenge as well. The safety record of general aviation (and general 
aviation would subsume urban air transportation) is considerably worse than that of commercial aviation®. Piloted 
air taxis will be subject to the same problems as piloted GA aircraft; and arguably, fully autonomous aircraft will 
remain impractical for some time. 

To summarize, the new risks are two-fold: increasing chances of mid-air collisions with non-cooperative objects 
and increasing chances of crashes over highly populated areas. This suggests two major directions for mitigating the 
risks: maintain flight or, if you cannot, complete flight so as to avoid or minimize damage on the ground; and in all 
cases, minimize the loss of life. While a great deal of mitigation would have to rely on the developments in sensors 
and adaptive learning algorithms, vehicle design would have an important role to play as well; hence the need to 
consider potential contributions from MDAO. In the following sections, we offer an initial analysis of the 
survivability problem, as a function of technology, and comment on the role of MDAO in reducing the new risks. 


II. Survivability in Collisions 


Traditionally, survivability has been a concern of the military domain. Civilian aircraft design has had to deal 
with a more limited set of survivability issues, such as the impact of bird strikes, weather, fire, and mechanical 
failure. Danger from collisions with other aircraft has been prevented through tight regulation and control of the 
airspace, with predetermined separation constraints; and directions provided by the external air traffic control system 
and some on-board equipment. Increasing density of traffic and the potential presence of non-cooperative vehicles 
mean that civilian aircraft design must now explicitly include considerations of survivability in the event of collision 
with other vehicles. 

One of the most important features of mid-air encounters with non-cooperative objects is the extremely 
short duration of the event. For instance, during the “Miracle-on-the-Hudson” incident (15 January 2009, US 
Airways Flight 1549), only 1.5 seconds elapsed between the pilots noticing the flock of birds and the bird strikes 
that ultimately downed the aircraft. 

The external air traffic control system, the human pilots, and (at present) the aircraft control system cannot take 
protective action at such time scales. Maneuverability of large passenger aircraft and the effects of sharp maneuvers 
on passengers are also a factor. To ensure the safety of humans on an aircraft, intelligent systems must detect 
(sensing and perception are involved) a non-cooperative UAS automatically, make an autonomous machine 
decision, and affect the controls to implement it, all in time for the aircraft systems’ actions to weaken the collision 
and mitigate its consequences. Arguably, these technologies, while in development, will not be mature for quite 
some time. Perception and real-time autonomous machine decision-making are particularly difficult problems, even 
assuming adequate sensors. 

The premise of this discussion is that the risk of collision of aircraft carrying humans (pilots and/or passengers) 
with non-cooperative aircraft will increase, despite automatic collision avoidance systems, such as Traffic Alert and 
Collision Avoidance System (TCAS) [Ref. 4] and its probable successor, the Airborne Collision Avoidance System 
(ACAS X) [Ref. 5]. Thus, the discipline of survivability has to be included in Multidisciplinary Design Analysis and 
Optimization (MDAO), on par with traditional disciplines or in some other appropriate form. 


A. Summary of a Preliminary Study 
In a previous paper [Ref. 6], we reported on an initial study of survivability in collisions, with bird strikes as one 
of the main sources of data. Here is a summary of the preliminary observations: 

e Engines. Approximately 50% of all bird strikes involve the aircraft engine. The number increases to 
over 75% for airliners (see, e.g., [Ref. 7]). Patents for jet engine deflectors abound’. However, airlines 
have not adopted any screens for a number of reasons: a screen strong enough to take an impact at 
aircraft speeds may weigh too much to allow operation; a screen would be a source of turbulence at the 
intake, causing a potential loss of lift; finally, debris from a broken screen may be a source of secondary 
damage for the engine. 


° http://www. livescience.com/49701 -private-planes-safety.html 
’ http://patents.justia.com/patent/8968437 
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Engine certification requires designing and planning for operations after bird strikes occur. A “large 
flocking bird” requirement (2007) stated that the engine must function at a specified performance after 
ingesting a 5.0 pound bird®. It has since been determined that the bird-ingestion design case is not 
defined by the highest kinetic energy case, but rather by the lowest operating speed, where larger pieces 
of a bird will cause more damage to the engine core. Despite these requirements, birds have disabled 
aircraft, pointing to a great deal of uncertainty in the thresholds set in the requirements, as well as the 
difficulty of including every bird strike scenario. Moreover, existing requirements based on birds would 
not address the ingestion of a UAS. At high speeds, organic matter has fluid-like behavior, which 
prevents extrapolation to UAS. Developments in incorporating empirical data into higher-fidelity 
computational modeling are needed. Computational modeling in [Refs 2, 3] compares the effects of 
UAS ingestion with that of organic matter. 

e Agility. Evasive maneuvers may not be an obviously promising direction for avoiding time-critical 
encounters. A Boeing source” warns pilots: “Avoid or minimize maneuvering at low altitudes to avoid 
birds”. Agile maneuvering to avoid UAS may not be acceptable on a civilian aircraft, even if proven to 
be structurally and mechanically feasible, due to physiological constraints on passengers. 

e Structures. An impact of a bald eagle (average weight 12 pounds) on an airplane climbing at 200 mph 
would produce the kinetic energy of a half-ton weight dropped from a height of 16 feet. Structural 
protection may be difficult for even moderate at-rest mass of a colliding object. Military aviation knows 
examples of non-parasitic armor that has provided great protection against enemy ammunition in 
combat [Ref. 8]. Although adequate structural enhancements in the form of ruggedized structure, or 
armor, may appear to be prohibitive in civil aviation in terms of performance and cost effects, 
consideration of new designs with inclusion of organic ruggedized structures is needed, given the 
potential severe consequences of collisions. Other structural measures, such as re-arrangement of 
critical components may be considered. 


B. General Comments on Solutions 

The uncertainties and the potentially disastrous outcomes of collisions with non-cooperative UAS (and in 
particular, with flocks of UAS) suggest that the absolute best solution is prevention. Detecting hazards in time to 
avoid collisions is infinitely preferable to attempting recovery following a collision. Detect-and-avoid capabilities 
are in continual development but are not nearly ready for prime time, with perception presenting one of the main 
difficulties. Interestingly, some of the airspace modernization plans, e.g., the replacement of radar with ADS-B'° 
would make the detection of such obstacles as the flocks of birds more difficult: radars can detect flocks; ADS-B 
depends on transmission of information. 

Given the difficulty of detection and avoidance under the complex conditions of a realistic and dense 
environment, it is impossible, in principle, to prevent a certain amount of safety degradation in dense autonomous 
airspace, at least in the foreseeable future. Therefore, an aircraft carrying passengers requires explicit survivability 
enhancements, to maintain passenger safety. 

Adding armor is the least desirable option because of the inevitable loss of performance. However, including the 
ruggedizing considerations in early stages of design may minimize performance losses. Other survivability 
measures (maneuvers, control, component and function health monitoring, self-healing, and so on) will require the 
development of autonomous intelligent systems, to assess and mitigate certain types of collisions, especially those 
involving several threats at close range. 


C. Potential MDAO Contributions 

Survivability in combat in the military domain has been studied comprehensively (see, e.g., [Refs 8-32]) and 
offers valuable directions for potential contributions from MDAO. Survivability in the probabilistic framework of 
[Ref. 8] is the probability of survival and is the complement of killability. Killability is measured along a gradation 
that includes an inability to complete a mission. In the civilian domain, we can use a more explicit measure — non- 
survivability in collisions, P{,, because the primary mission of the aircraft is to deliver humans on board to the 
ground safely (and, in addition, not kill anyone on the ground). Not fulfilling the mission of delivering passengers or 
cargo to a destination, after a collision, still satisfies survivability if everyone survived. Thus, 

Peat = Pre. 


* https://www.skybrary.aero/index.php/Aircraft_Certification_for_Bird_Strike_Risk 
* http://www.boeing.com/commercial/aeromagazine/articles/2011_q3/4/ 
'° http://airportjournals.com/ads-b-to-replace-expensive-radar-system/ 
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Non-survivability is a function of the aircraft’s susceptibility and vulnerability. Susceptibility, P§, is the 

probability of being hit. Vulnerability, Pris y> 1s the conditional probability of not surviving upon being hit: 
P§ =1- Pys =1— PRPNsin- 

Applied to civil aviation, the measure quantifies the chances of survival defined as either not being hit or, if hit, 
not crashing. 

The probabilities are decomposed further, based on specific scenarios and events. The quantification of 
probabilities in the military domain is done via construction of scenarios, event tree diagrams, simulations, and tests. 
Improving P£ requires reductions in susceptibility and vulnerability. 


Susceptibility 

Susceptibility answers the question: can you get out of harm’s way or remove the hazard? 

The civilian domain offers susceptibility challenges that differ from those in the military domain, the 
dissimilarity due to both the aircraft properties and airspace properties. How dense is the airspace? How often does 
one encounter a non-cooperative aircraft? What are the likely relative velocities and maneuverability properties of 
both the designed and the likely non-cooperative aircraft? What are the detect/sense/avoid (DSA) capabilities of 
aircraft under design? Susceptibility can be summarized as a combination of the threat, the aircraft, and the scenario. 

In terms of the threat, the civilian domain is easier than the military domain in some respects and harder in 
others. Encountering a non-cooperative UAS in civilian airspace would likely be a random event, whose probability 
would depend on the density and attributes of traffic at specific layers, with rare exceptions of malicious 
participants. Opinions as to the probabilities differ (see e.g., [Ref. 1]), and there are not enough data to formulate a 
historical model. However various models of the probabilities as a function of density give a good idea of how 
density impacts chances of collisions with random objects. For instance, [Ref. 33] uses a gas particle model, and it is 
a reasonable approximation of the worst-case behavior without external regulation of airspace. It is particularly 
relevant to autonomous and non-cooperative players. One of the examples in [Ref. 33] discusses a case, where the 
baseline scenario has traffic densities that ensure many hours without 2-body and 3-body interactions. Only a ten- 
fold increase in traffic density yields evasive maneuvers every 20 minutes; with another ten-fold increase resulting 
in nearly continuous maneuvering, which leads to Brownian motion, rather than getting from point A to point B. The 
model is a highly idealized simplification of actual traffic, but it shows the trends in probabilities well. 

The aircraft contribution to susceptibility is a function of awareness, countermeasures and performance. MDAO 
does not appear to have an obvious opportunity for contribution in awareness (a function of intelligent systems, both 
onboard and remote) or in countermeasures. Randomness of the encounters means that, although non-cooperative 
objects are not as destructive as those in the military domain, their properties are not as known a priori and therefore 
cannot be predicted or modeled as well as in a combat situation. However, MDAO can play a large role in modeling 
and design for performance, such as speed and agility of some types of aircraft, given a set of requirements imposed 
by the likely composition of the airspace. For instance, the density and diversity of vehicles, combined with the 
range and accuracy of detection may lead to new requirements for aircraft agility. 

It is unlikely that airliners will gain great agility. However, if supported by appropriate sensing and automation, 
an aircraft may not be required to maneuver sharply by a large displacement. If an object is detected in time, even 
small changes in the path may suffice to weaken collisions with critical sections of the aircraft. Bounds on such 
actions would be a subject of combined aerodynamics and control study. Flocks of drones would present a more 
difficult problem, raising the question of adding countermeasures and structural features. 

For GA vehicles, the windshield is the most susceptible part of the aircraft: collisions with windshield account 
for more than 50% of bird strikes [Ref. 7]. For GA, windshield collisions result in the largest number of fatalities. A 
clear opportunity for MDAO to contribute here is through design of materials and radical re-design of the cockpit. 


Vulnerability 

The measure of vulnerability answers the question of how unlikely an aircraft is to land after being damaged, 
with the pilots and passengers intact. Because of the random factor in non-cooperative encounters, arguably, 
vulnerability reduction should be the emphasis of survivability improvement in civil aviation. 

In the military domain, vulnerability is addressed via the vulnerability program, which is also practiced in other 
safety-critical areas. The program has three tasks: identification of critical components and their damage modes; 
vulnerability assessment; and design for low vulnerability. 

The first task depends on the detailed technical description of a specific aircraft. The second stage depends, in 
addition, on the properties of the threat. The final stage relies on heuristically proposed measures and trade studies to 
determine relative merits of the proposed solutions. Solutions are based on a number of general principles: 
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e Critical component redundancy with separation. For example, multiple engines, control surfaces. 
NASA’s SCEPTOR [Ref. 34] concept with its multiple engines is an example of this principle. 
e Critical component location and separation to prevent cascading damage. 
e Passive damage suppression via fault tolerant design and such technologies as high-strength and self- 
healing materials. 
e Active damage suppression via technologies that incorporate sensors, e.g., fire detection and 
suppression. 
e Critical component shielding by other components or additional structure. Model development is 
needed here to avoid parasitic shielding. 
e Critical component elimination. Replacing pilots with automation comes under this category. 
The principles of vulnerability reduction apply to civilian aircraft and to other safety-critical areas; and have 
been used in civil aviation to reduce vulnerability with respect to mechanical failure. However, the approach 
presents opportunities for improvement with MDAO techniques, especially in the design of new aircraft, as follows. 


Vulnerability as Objective/Constraint 

The probabilistic evaluation of vulnerability in the military domain appears to be based on a great deal of detailed 
design having been accomplished; vulnerability is an outcome of applying heuristic principles during design and an 
a posteriori evaluation; followed by corrections, which might require re-design. The trend in design of civilian 
aircraft is to increase discipline fidelity at earlier stages of design, to improve the quality of design and shorten the 
design cycle time. A purely probabilistic, post factum evaluation of vulnerability cannot be easily used as an 
objective function or a constraint in an MDAO formulation. Developing a computational model of vulnerability for 
use in MDAO formulation would be necessary. 


Uncertainty Quantification 

Given the need for a higher degree of survival assurance of each civilian aircraft carrying passengers, a great deal of 
accuracy would be needed for uncertainty quantification and propagation in the evaluation of vulnerability. 
Uncertainty quantification in the military domain is related to the characteristics of known weapons. Developing 


uncertainty quantification of impact for possible collision sources in civilian domain is needed. A recent study [Ref. 
2LCst2 


35] investigated UAS impact damage using the FAA penetration equation Vs) = | 


m cos2@’ 


where Vso is the ballistic 


limit, i.e., the velocity required to make a hole in a sheet of metal. Here m is the mass of the projectile, 0 is the angle 
of the impact, Csis a material property constant, L is the perimeter of the presented area of the projectile, and t is the 
thickness of the metal sheet. The analysis indicated that engine ingestion in an airliner, the likeliest event with 
probable loss of engine, is unlikely to be catastrophic. (However, the analysis was done for a single UAS; not a flock 
of UAS.) The analysis further predicted penetration of aluminum airframe for velocities 200 knots and above, 
regardless of UAV size and penetration predicted for fixed-wing UAV at low velocities. For GA aircraft, penetration 
was predicted likely at cruise speeds, regardless of UAV size; and likely for large UAV during approach. 
Windshield penetration results were highly uncertain as they depend on material properties and angle of the 
windscreen. These results are informative of the trends, but a significant increase in model fidelity is needed to 
reduce analysis uncertainty. 


Dimensionality 

Given thousands of components on an aircraft, the approach to identifying critical components, damage modes and 
potential mitigation via discrete enumeration is likely to give rise to problems of very large dimension, whereas 
reducing the design space for tractability may cause missed salient failure conditions or interesting designs. 
Appropriate problem decomposition and aggregation is a fruitful area of investigation for MDAO. 


Reliability, Robustness and Resilience 

Traditional reliability-based design and robust design address the majority of the issues that may arise as a result of 
damage inflicted by a collision. Whether the loss of all flight controls results from a catastrophic tail-mounted 
engine explosion, as it did on United Airlines Flight 232 DC-10 in 1989 in Sioux City, Iowa'' or from a prospective 
collision with a flock of UAS, the design measures of mitigation might be similar. However, different event 
probabilities may dictate different approaches to reliable designs. On the one hand, the three independent hydraulic 
systems on board of a DC-10 conformed to the principle of component redundancy. On the other, placed together, 


'' https://en.wikipedia.org/wiki/United_Airlines_Flight_232 
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they were at odds with the principle of critical component separation. Overall, the probability estimation of the event 
was based on an incorrect assumption that failures of the three hydraulic systems would be independent events. 
Given increased probabilities of collision, critical component redundancy and separation may become the main 
principle, which would call for a rigorous approach to uncertainty quantification and a formal optimization-based 
approach to component placement. 

In the environment of dense and diverse autonomy, reliability (operation in worst-case scenarios) has to be 
considered in close coordination with other related concepts of robustness (insensitivity to normal variations in 
operational parameters) and resilience (the ability to return to operation following a disturbance, even if only to 
reach a satisfactory final state). 

Whether vulnerability to collisions is viewed as a subset of the discipline of reliability or vice-versa, revisiting 
reliability, robustness and resilience from the perspective of vulnerability and survivability becomes especially 
important in the new environment because of the potential proliferation of new small aircraft and UAS designs that 
would not be subject to the careful engineering of airliners. 

The probabilistic definition of survivability, including susceptibility and vulnerability, should include reliability 
of the design to both collision-related damage and non-collision related failures. 


III. Survivability on the Ground 


Increased UAS traffic and the projected appearance of air taxis and private air vehicles, if realized, will increase 
risk to people on the ground, animals, and property in highly populated areas. The risk could be mitigated by 
restricting air traffic to specific air corridors. However, this measure would be at odds with the objectives of on- 
demand transportation (ODM), ultimately aimed at door-to-door delivery of cargo and people. 

It stands to reason that all measures aimed at ensuring the four elements necessary for flight — lift, thrust, control, 
and structural integrity — should be taken; e.g., intelligent systems performing continual monitoring of the health of 
the aircraft through sensors, improvements in maintenance, machine-pilot teaming to prevent pilot error (and 
eventually replacing the pilot with autonomous intelligent systems where appropriate), intelligent technologies in 
general (e.g., perception, real-time safety-critical decision-making for collision detection and avoidance, intelligent 
control); and design improvements (e.g., self-healing materials, propulsion control, resilient structures). Some of 
these measures are available now but safety and cost are trade-off quantities. Other measures have not reached their 
potential yet. Regardless, increased density implies increased chances of crashes. 

What happens if an aircraft is damaged would depend on the type of the aircraft. In case of a UAS, one 
promising approach is exemplified in the Safe2Ditch’* technology, which helps a malfunctioning UAS select the 
best and nearest emergency landing site and land. The system is based on continual monitoring of the UAS 
components, to detect imminent failure and control the system to maintain flight till the UAS reaches a landing site 
recommended by a database of safe landing sites and associated safe times. 

If a UAS is unable to land harmlessly, other approaches can be considered, depending on the attributes of the 
UAS, including the nature of its cargo. For instance, the use of a parachute or self-destruction may be viable options 
for an unmanned UAS unable to accomplish a safe or gentle landing. 

Design for landing harmlessly is a promising area for MDAO techniques in the case of aircraft carrying humans, 
because such techniques may involve a re-design of the aircraft. One obvious approach that has had significant 
success is a ballistic recovery system'*. As of mid-August 2016, the Cirrus Airframe Parachute System (CAPS) was 
successfully deployed 69 times out of 83 activations, with 142 survivors and one fatality. No fatalities, unsuccessful 
deployments or anomalies have occurred when the parachute was deployed within the certified speed and altitude 
parameters'*. CAPS focuses on ultralight vehicles. Larger vehicles may be amenable to parachuting if separable 
modules are equipped with ballistic recovery systems. 

Other design considerations'” for reducing the chances of crashes usually meet with cost limitations. MDAO 
could contribute by incorporating comprehensive cost modeling in the analysis of new configurations resistant to 
crashing and amenable to harmless landing. 


"*http://newatlas.com/nasa-safe2ditch-drone- 
safety/49489/?utm_source=Gizmag+Subscribers&utm_campaign=d2ec2a7708-UA-2235360- 
4&utm_medium=email&utm_term=0_65b67362bd-d2ec2a7708-91 183197 
'? https://en.wikipedia.org/wiki/Ballistic_Recovery_Systems 
'* https://www.cirruspilots.org/copa/safety_programs/w/safety_pages/723.cirrus-caps-history.aspx 
'S http://www.economist.com/news/science-and-technology/2 1660255-towards-crash-proof-aeroplane-quit-stalling 
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In any case, the probabilistic definition of survivability, including susceptibility and vulnerability, should include 
considerations of potential aircraft lethality to people on the ground. Thus, the total measure of vulnerability would 
be the sum of aircraft vulnerability to mechanical failure, vulnerability in collisions and vulnerability of people on 
the ground should the aircraft fall from the sky. 


IV. Total Survivability as a Challenge MDAO Problem 


Methods for increasing survivability in the military domain are a combination of rules, best practices, and 
probabilistic computations. Numerical values of survivability and its contributing factors — susceptibility and 
vulnerability — can be computed as probabilities of complex sequences of events; and improved by following the 
vulnerability reduction heuristics. The assessment of survivability, however, depends on the knowledge of a 
vehicle’s detailed design. Thus significant design effort is expended before survivability can be evaluated. 

Arguably, two of the main benefits of MDAO are the transition from discrete heuristic point designs to rigorous, 
optimization-based formulations, with early communications among the disciplines; and the shortening of the design 
cycle via prevention of premature detailed designs based on insufficient information. However, the application of 
MDAO techniques requires adequate modeling of the contributing disciplines and the ability to incorporate them in 
optimization formulations, including objective and constraints expressed as functions of design variables. In this 
respect, survivability presents a complex technical problem. 

Survivability is affected by contributions from all design disciplines: structures, agility, materials, propulsion, 
control, etc. all influence susceptibility and vulnerability. However, the connection between the traditional vehicle 
design variables and the measures of survivability is implicit and inferred. 

In a typical operational scenario, the sensory systems of the aircraft must continually monitor the external 
environment and internal state of the aircraft to inform the intelligent autonomous perception and decision making 
system, which, in turn, issues commands to the aircraft, to avoid a collision, weaken it, or recover sufficiently to 
deliver the passengers to the ground safely. The traditional disciplines are responsible for the actions dictated by the 
intelligent system to be physically implementable. In order to achieve this, survivability must be directly connected, 
through variables, objectives and constraints, with all relevant disciplines. 

Given the state of the art in contributing disciplines and MDAO, including survivability into MDAO on par with 
traditional computational disciplines presents a difficult challenge: for instance, adequate collision modeling would 
be computationally intractable and the required interdisciplinary interfaces have not been developed. Inclusion of 
survivability necessitates developments in computational modeling, manufacturing, materials, and MDAO problem 
synthesis, among other technologies. 

In this sense, survivability appears similar to the discipline of cost. Cost can be evaluated as an aggregate of 
parts, but it is difficult to include cost as an objective function in MDAO, on par with objectives from the physics - 
based disciplines, even though this goal has been among the desiderata of MDAO for a long time. However, given 
that survivability is related to reliability, there is hope that its formalization in terms of explicit design variables and 
associated objectives and constraints is not an insurmountable obstacle. Incorporating both survivability and cost 
into design formulations would be an even better approach, so that the trade-off between survivability and cost 
would be made explicit. 


V. Concluding Remarks 


Although the actual realization of the future airspace is uncertain, there are clear trends in the direction of 
increased density of traffic, and diversity and autonomy of vehicles. If the trends continue, complexity of airspace, 
especially over densely populated areas, will increase the chances of crashes due to mechanic and electronics 
failures, errors in machine decisions, human error, and mid-air collisions. 

While many sources of risk reduction rely on intelligent technologies, such as DSA, designing aircraft that 
ensures unprecedented reliability and resilience in the face of hazards, as well as graceful degradation of the 
systems, to prevent injuries, fatalities, and damage on the ground will play a major role in safe aviation. Developing 
adequate and actionable models of survivability is a challenge for MDAO. Of particular interest is a conversion of 
the vulnerability reduction principles to formalizations of design optimization. The difference between traditional 
MDAO and MDAO with survivability as an objective is the need to include airspace considerations in vehicle 
design explicitly. 
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